C0XMO Gafgyt Variant Exploits DD-WRT Routers to Build Cross-Architecture Botnet
A new Gafgyt botnet variant called C0XMO is actively targeting DD-WRT router firmware vulnerabilities to establish a botnet capable of spreading to multiple device architectures. This represents an evolution in router-targeting malware with potential for rapid propagation across heterogeneous IoT environments.
C0XMO represents a notable evolution of the Gafgyt botnet lineage. Rather than targeting stock router firmware, this variant specifically exploits vulnerabilities in DD-WRT, the popular open-source router firmware that attracts both enthusiasts and users seeking alternatives to vendor-supplied software. The choice of DD-WRT is strategic: it runs on diverse router hardware spanning ARM, MIPS, and potentially other CPU architectures, allowing a single malware campaign to compromise devices that would normally require separate binaries.
The technical innovation here centres on multi-architecture payload delivery. Historically, botnet authors had to compile separate binaries for each target architecture or rely on scripting languages. C0XMO's apparent ability to propagate across architecture boundaries suggests either automated reconnaissance and selective payload delivery, or pre-compiled multi-architecture support built into the initial infection vector. This reduces operational friction and increases infection velocity.
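When a campaign drops binaries on routers of mixed architectures, the first triage question for a responder is which CPU each recovered file actually targets. The following added example (not code from the page or from any C0XMO analysis) reads the ELF identification bytes and `e_machine` field to classify samples by architecture and endianness; the sample headers and file paths are constructed for illustration, and the `make_header` helper exists only to build that test data.

```python
import struct

# e_machine values from the ELF specification (System V ABI); only those
# commonly met on router-class hardware are named here.
EM_NAMES = {3: "x86", 8: "mips", 20: "powerpc", 40: "arm", 42: "superh",
            62: "x86-64", 183: "aarch64"}
ET_NAMES = {2: "executable", 3: "shared-object"}


def elf_arch(data: bytes):
    """Return architecture details parsed from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed e_ident: unknown class or byte order
    # e_type and e_machine sit at offset 16, encoded in the file's own byte order.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
        "type": ET_NAMES.get(e_type, f"other({e_type})"),
    }


def make_header(ei_class, ei_data, e_type, e_machine):
    """Build a minimal 20-byte ELF header prefix (constructed test data only)."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    end = "<" if ei_data == 1 else ">"
    return ident + struct.pack(end + "HH", e_type, e_machine)


# Constructed samples standing in for files recovered from /tmp on several routers.
SAMPLES = {
    "router-a/tmp/.x": make_header(1, 1, 2, 40),   # 32-bit ARM, little-endian
    "router-b/tmp/.x": make_header(1, 2, 2, 8),    # 32-bit MIPS, big-endian
    "router-c/tmp/.x": make_header(1, 1, 2, 8),    # 32-bit MIPS, little-endian
    "router-d/tmp/.x": make_header(2, 1, 2, 62),   # 64-bit x86-64
    "router-e/tmp/run.sh": b"#!/bin/sh\n",         # a script, not ELF
}


def triage(samples):
    """Group samples by target architecture; non-ELF files are listed separately."""
    by_arch = {}
    not_elf = []
    for name, blob in samples.items():
        info = elf_arch(blob)
        if info is None:
            not_elf.append(name)
            continue
        key = f"{info['machine']}-{info['bits']}-{info['endian']}"
        by_arch.setdefault(key, []).append(name)
    return by_arch, not_elf


if __name__ == "__main__":
    groups, others = triage(SAMPLES)
    for arch, names in sorted(groups.items()):
        print(f"{arch}: {', '.join(names)}")
    print("not ELF:", ", ".join(others))
```

Seeing the same dropper name appear as ARM little-endian on one router and MIPS big-endian on another is exactly the multi-architecture signature the paragraph describes; the same parser also separates loader scripts from the binaries they fetch.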
The reported behaviour of terminating rival malware indicates active botnet competition and resource contention on compromised devices. This is not uncommon in commodity malware ecosystems where multiple actors target the same vulnerable populations. The fact that C0XMO bothers to clean up competitors suggests the authors view infected routers as valuable persistent infrastructure worth defending.
Defenders should prioritise patching or isolating DD-WRT installations, particularly in production environments. Home users should verify their router firmware is current and consider whether custom firmware like DD-WRT is necessary for their use case. Network administrators should monitor for unusual outbound traffic from routers, apply ingress filtering to prevent botnet command-and-control communications, and treat compromised routers as full network compromises given their position on the trust boundary.
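One concrete form of the monitoring advised above is to treat the router itself as a host that should almost never initiate Internet connections, and to alert when it does. The added example below (not from the page or any vendor tooling) runs two checks over flow records: any router-originated external connection outside a small allowlist, and scan-like fan-out where the router contacts many distinct external hosts on one port. The router address, LAN range, allowlist and flow records are all constructed; the threshold is a hypothetical tuning value.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed environment (hypothetical): the router's LAN address, the LAN range,
# and the only Internet services a healthy router should contact on its own.
ROUTER_IP = "192.168.1.1"
LAN = ip_network("192.168.1.0/24")
ALLOWED_OUTBOUND = {
    ("198.51.100.53", 53),    # ISP resolver (constructed address)
    ("198.51.100.123", 123),  # NTP server (constructed address)
}
FANOUT_THRESHOLD = 5  # distinct external hosts on one port before alerting

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("192.168.1.20", "203.0.113.10", 443, "tcp"),   # LAN client; not the router
    ("192.168.1.1", "198.51.100.53", 53, "udp"),    # allowed DNS
    ("192.168.1.1", "198.51.100.123", 123, "udp"),  # allowed NTP
    ("192.168.1.1", "192.168.1.20", 67, "udp"),     # DHCP inside the LAN; ignored
    ("192.168.1.1", "203.0.113.77", 6667, "tcp"),   # unexpected external peer
    ("192.168.1.1", "203.0.113.1", 23, "tcp"),      # five hosts on one port:
    ("192.168.1.1", "203.0.113.2", 23, "tcp"),      #   scan-like fan-out
    ("192.168.1.1", "203.0.113.3", 23, "tcp"),
    ("192.168.1.1", "203.0.113.4", 23, "tcp"),
    ("192.168.1.1", "203.0.113.5", 23, "tcp"),
]


def analyse(flows, router_ip=ROUTER_IP, lan=LAN, allowed=ALLOWED_OUTBOUND,
            threshold=FANOUT_THRESHOLD):
    """Return (unexpected, fanout): per-flow alerts and per-port fan-out alerts."""
    unexpected = []
    targets = defaultdict(set)  # (proto, port) -> set of external destinations
    for src, dst, dport, proto in flows:
        if src != router_ip or ip_address(dst) in lan:
            continue  # only connections the router itself opens to the Internet
        if (dst, dport) in allowed:
            continue
        unexpected.append((dst, dport, proto))
        targets[(proto, dport)].add(dst)
    fanout = sorted(
        (proto, dport, len(dsts))
        for (proto, dport), dsts in targets.items()
        if len(dsts) >= threshold
    )
    return unexpected, fanout


if __name__ == "__main__":
    unexpected, fanout = analyse(FLOWS)
    for dst, dport, proto in unexpected:
        print(f"ALERT router -> {dst} {proto}/{dport} not in allowlist")
    for proto, dport, count in fanout:
        print(f"ALERT router contacted {count} external hosts on {proto}/{dport}")
```

Because the allowlist is keyed on destination and port, a firmware update check or a new resolver only needs one added tuple; everything else the router starts on its own surfaces as an alert, which is a workable baseline for a device that should be a forwarder rather than a client. Note that the `ipaddress` module counts the documentation ranges used here as private, so the example tests LAN membership explicitly rather than relying on `is_private`.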
Broader implications concern the security model of alternative firmware projects. DD-WRT's popularity stems partly from dissatisfaction with vendor security practices, yet custom firmware introduces its own maintenance and patching challenges. The lack of security advisories or documented patch cycles for DD-WRT vulnerabilities may mean many deployed instances remain exploitable indefinitely. This creates a persistent attack surface for botnet operators.